News

SquidClamav 6.11, Monday March 10 2014

This release adds support for ICAP templates, allowing a templated response to be displayed on block instead of redirecting to an external URL. It adds new lines to the HTTP and ICAP response headers to set X-Infection-Found and X-Virus-ID when a virus is found. Together with the possibility to scan data sent without preview, this allows some commercial products like MoveIt DMZ to work with the c-icap and squidclamav service. Lots of code cleanup and bug fixes.

	- Add X-Infection-Found and X-Virus-ID to the ICAP response header.
	  This allows some commercial products like MoveIt DMZ to work with
	  the c-icap/squidclamav service.
	- Fix compilation issue with c-icap 1.6.x versions. Old versions of
	  c-icap (< 0.2.x) do not support ICAP templates; this is now
	  detected at configure time. Thanks to Graham Har for the report.
	- Remove preview data enabling from the mandatory options.
	- Allow non-HTTP requests as used by ICAP clients like c-icap-client,
	  or requests from commercial products such as Move It DMZ. For example:
	    c-icap-client -i 127.0.0.1 -p 1344 -f eicar.zip \
	    -s "squidclamav?allow204=on&force=on&sizelimit=off&mode=simple" -v
	  Thanks to Henry ken for the feature request.
	- Update Copyright
	- Update auto-generated configuration and make files and fix several
	  compile-time warnings from squidclamav.c. Also fix an error message
	  wrongly displayed at squidclamav.conf fd close time.
	- Add MALWARE_FOUND icap template that will be displayed by Squid when
	  a malware is found instead of redirecting to the CGI (when redirect
	  configuration directive is not defined).
	- Tested squidclamav with c-icap 0.3.2
	- When there's no clamd running, die. Bypass should be in the proxy
	  setup instead of in the squidclamav code. Thanks to Peter Molnar for
	  the patch.
	- Clean up HTTP Response headers. Thanks to Peter Molnar for the patch.
	- Fix conflicting types for strnstr on FreeBSD. Thanks to Mathias H for
	  the report.
	- Fix an issue on FreeBSD with the squidclamav.conf parser reporting a
	  fatal error in add_pattern.
	- Remove all of the built-in format tokens - these are included by c-icap,
	  so no need to duplicate them here. Thanks to Nathan Hoad for the patch.
	- Fix documentation about using a template instead of a redirect URL.
	- Lots of code cleanup and a debug method similar to what Squid uses.
	  Thanks to Nathan Hoad for the patch.
	- Updated all documentation to mention new behaviour in the absence of
	  the redirection option. Thanks to Nathan Hoad for the patch.
	- Displaying a templated response on block instead of redirecting.
	  It supports all the format tokens that the LogFormat directive supports,
	  plus %mn for displaying the virus name as identified by ClamAV. Thanks
	  to Nathan Hoad for the patch.
	- Don't stub out __FUNCTION__ unless we're definitely on Solaris. Thanks
	  to Nathan Hoad for the patch.
	- Provide a macro to make debug messages much nicer. This updates messages
	  to display logs like so:
	      squidclamav.c(252) squidclamav_close_service: DEBUG clean all memory!
	  This makes debugging both nicer to read and write. Thanks to Nathan Hoad
	  for the patch.
	- Remove xfree, as any respectable compiler (i.e. one that follows the C
	  standard) won't crash if you call free(3) on NULL. Thanks to Nathan Hoad
	  for the patch.
	- Normalise indentation and remove all trailing whitespace. No functional
	  changes. Thanks to Nathan Hoad for the patch.

SquidClamav 6.10, Saturday October 27 2012

        - Replace the clamd STREAM protocol with zINSTREAM, as ClamAV has
          removed the obsolete STREAM protocol in release 0.97.4. Thanks to
          Vasan and Raja Lakshmi for the report.

SquidClamav 5.11, Monday October 29 2012

This is a quick fix release to prevent squidclamav from filling the log file with debug messages.

    - Fix printing level of debug message when printing chunk sent to clamd.
      Thanks to Yuri Voinov for the report.

SquidClamav 5.10 & SquidClamav 6.10, Saturday October 27 2012

This new release replaces the deprecated clamd STREAM protocol with INSTREAM; previous versions of squidclamav will not work with ClamAV releases above 0.97.3.

Version 6.10
    - Replace the clamd STREAM protocol with zINSTREAM, as ClamAV has removed the obsolete STREAM protocol in release 0.97.4.

Version 5.10
    - Replace the clamd STREAM protocol with zINSTREAM, as ClamAV has removed the obsolete STREAM protocol in release 0.97.4.
      Thanks to Vasan and Raja Lakshmi for the patch.
    - Fix issue with sigaction sa_mask by using sigemptyset and sigaddset.
    - Replace signal() with sigaction calls. Thanks to John Xue for the report.

Please upgrade, test it and report any issue.
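
The wire framing behind the STREAM to zINSTREAM change, as an added example (not SquidClamav's own code): a NUL-terminated command, then chunks each prefixed by a 4-byte big-endian length, then a zero-length chunk. The function names are hypothetical, and any reply that is not an explicit OK or FOUND, including clamd's size-limit error, is treated as an error rather than as clean.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CLAMD_CMD "zINSTREAM" /* 'z' prefix: command and reply end with NUL */

enum scan_result { SCAN_CLEAN, SCAN_FOUND, SCAN_ERROR };

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Frame data as one session: "zINSTREAM\0", then <be32 length><bytes> per
 * chunk, then a zero-length chunk. Returns bytes written, or 0 if out is
 * too small or chunk_max is unusable. */
size_t instream_frame(const unsigned char *data, size_t len, size_t chunk_max,
                      unsigned char *out, size_t out_sz)
{
    size_t pos = sizeof(CLAMD_CMD), off = 0, nchunks;
    if (chunk_max == 0 || chunk_max > 0xFFFFFFFFu || len > out_sz) return 0;
    nchunks = len / chunk_max + (len % chunk_max != 0);
    if (sizeof(CLAMD_CMD) + len + 4 * nchunks + 4 > out_sz) return 0;
    memcpy(out, CLAMD_CMD, sizeof(CLAMD_CMD)); /* copies the trailing NUL too */
    while (off < len) {
        size_t n = len - off < chunk_max ? len - off : chunk_max;
        put_be32(out + pos, (uint32_t)n);
        memcpy(out + pos + 4, data + off, n);
        pos += 4 + n; off += n;
    }
    put_be32(out + pos, 0); /* zero-length chunk: end of stream */
    return pos + 4;
}

/* Classify a reply with the trailing NUL already stripped. On FOUND the
 * signature name is copied into name (truncated to fit). */
enum scan_result parse_reply(const char *reply, char *name, size_t name_sz)
{
    static const char prefix[] = "stream: ", found[] = " FOUND";
    size_t rlen = strlen(reply), plen = sizeof(prefix) - 1, flen = sizeof(found) - 1;
    if (name_sz) name[0] = '\0';
    if (strcmp(reply, "stream: OK") == 0) return SCAN_CLEAN;
    if (rlen > plen + flen && strncmp(reply, prefix, plen) == 0 &&
        strcmp(reply + rlen - flen, found) == 0) {
        size_t n = rlen - plen - flen;
        if (name_sz == 0) return SCAN_FOUND;
        if (n >= name_sz) n = name_sz - 1;
        memcpy(name, reply + plen, n);
        name[n] = '\0';
        return SCAN_FOUND;
    }
    return SCAN_ERROR; /* fail closed: never report an unknown reply as clean */
}

int main(void)
{
    unsigned char buf[64];
    size_t n = instream_frame((const unsigned char *)"hello", 5, 4, buf, sizeof buf);
    printf("framed %zu bytes\n", n);
    return 0;
}
```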

SquidClamav 6.9, Tuesday August 28 2012

This release fixes a major issue in the support for ClamAV Google Safe Browsing.

    - Add 'safebrowsing' configuration directive to enable/disable Safe
      Browsing detection.
    - Fix support for ClamAV Google Safe Browsing, which needs a second query
      to clamd because the URL needs to be embedded in email-like content.
      Thanks to frOgz for the report.
    - Documentation updated for safebrowsing and proxy configuration variables.
    - All redirect CGI scripts have been rewritten with some CSS and to better
      handle virus vs malware. Thanks to frOgz for the patches.
    - Tested SquidClamav with Squid 3.2 successfully.

SquidClamav devel on github, https://github.com/darold/squidclamav

The latest development code of SquidClamav is available from GitHub.

SquidClamav 5.9, Saturday August 25 2012

This release fixes a major issue in the support for ClamAV Google Safe Browsing.

        - Add 'safebrowsing' configuration directive to enable/disable
          Safe Browsing detection.
        - Fix support for ClamAV Google Safe Browsing, which needs a second
          query to clamd because the URL needs to be embedded in email-like
          content. Thanks to frOgz for the report.
        - Documentation updated for safebrowsing and proxy configuration
          variables.

Update installation page, Thursday July 26 2012

There's now a new part in the Install page that lists some material about SquidClamav, like howtos, packages and others. If you want a link here please drop me a line!

SquidClamav 6.8, Thursday July 26 2012

This is a quick release that fixes compatibility issues with the new c-icap 0.2.x; many people asked for this support.

        - Compatibility fix with the new c-icap 0.2.1 release, which prevented
          the squidclamav service from being initialized. Thanks to Martin
          Matuska for the patch.
        - Fix issue with the new c-icap 0.2.1 release that generates an
          error each time squidclamav returns CI_MOD_204 in the end of data
          handler function. Thanks to Martin Matuska for the patch.

SquidClamav 6.7, Tuesday July 24 2012

This release prevents squidclamav from segfaulting on escaped special characters in URLs that are sent to squidGuard through the obsolete squidguard configuration directive.

	- Add a workaround for a squidGuard bug that unescapes the URL and sends it back unescaped.
	  This results in garbage staying in the pipe of the system command call, which could crash
	  squidclamav on the next read or return false information. This is especially true with URLs
	  containing the %0D or %0A character. Thanks to John Xue for the report.
	- Update documentation about the recommended way to call squidGuard through the use of
	  url_rewrite_program in squid.conf. You should not use the squidguard configuration directive
	  in squidclamav.conf.

SquidClamav 5.8, Tuesday July 24 2012

This release fixes several security issues by escaping CGI parameters and prevents squidclamav from segfaulting on escaped special characters in URLs.

	- Add a workaround for a squidGuard bug that unescapes the URL and sends it back unescaped.
	  This results in garbage staying in the pipe of the system command call, which could crash
	  squidclamav on the next read or return false information. This is especially true with URLs
	  containing the %0D or %0A character. Thanks to John Xue for the report.
	- Backport CGI scripts from the 6.x branch to 5.x to apply a security fix.
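
Why an unescaped %0D/%0A leaves garbage in a line-oriented pipe (the 6.7 and 5.8 entries above), shown as an added example that is not SquidClamav's code. The in-memory pipe, the function names and the sample URL are constructed, and the re-escaping shown is one possible guard, not necessarily the workaround the project applied.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the pipe between squidclamav and the chained helper. */
struct pipe_buf { char data[256]; size_t len; };

/* Helper side: one reply per request, terminated by '\n'. */
static int pipe_write_reply(struct pipe_buf *p, const char *url)
{
    size_t n = strlen(url);
    if (p->len + n + 1 > sizeof(p->data)) return -1;
    memcpy(p->data + p->len, url, n);
    p->data[p->len + n] = '\n'; p->len += n + 1;
    return 0;
}

/* Caller side: consume exactly one line; anything after it stays queued. */
static int pipe_read_line(struct pipe_buf *p, char *line, size_t sz)
{
    char *nl = memchr(p->data, '\n', p->len);
    size_t n = nl ? (size_t)(nl - p->data) : 0;
    if (!nl || n >= sz) return -1;
    memcpy(line, p->data, n); line[n] = '\0';
    p->len -= n + 1;
    memmove(p->data, nl + 1, p->len);
    return (int)n;
}

/* Re-escape control bytes, space and non-ASCII as %XX so the URL field can
 * never carry a raw line or field separator. Returns length, 0 on overflow. */
size_t reescape_ctl(const char *in, char *out, size_t out_sz)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (out_sz == 0) return 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int esc = (c <= 0x20 || c >= 0x7f);
        if (o + (esc ? 3 : 1) >= out_sz) return 0;
        if (esc) { out[o++] = '%'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 15]; }
        else out[o++] = (char)c;
    }
    out[o] = '\0';
    return o;
}

/* Bytes still queued after one reply is written and one line is read. */
size_t leftover_after_one_read(const char *url)
{
    struct pipe_buf p = { {0}, 0 };
    char line[256];
    if (pipe_write_reply(&p, url) != 0) return (size_t)-1;
    pipe_read_line(&p, line, sizeof line);
    return p.len;
}

int main(void)
{
    const char *raw = "http://example.test/a\r\nb"; /* constructed: %0D%0A already unescaped */
    char safe[128];
    reescape_ctl(raw, safe, sizeof safe);
    printf("raw leaves %zu bytes, re-escaped leaves %zu\n",
           leftover_after_one_read(raw), leftover_after_one_read(safe));
    return 0;
}
```

The leftover bytes are what the next request's read would return as its answer, which is the "false information" case described in the entry.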

SquidClamav 6.6, Monday May 28 2012

This release fixes a bug with the trustclient directive when dnslookup was disabled and includes a complete rewrite of the maxsize-related code.

	- Entirely rewrite the squidclamav behavior with the maxsize directive. The previous fix was only a workaround.
	- Fix a bug in the 'trustclient' check, which was never executed if 'dnslookup' was disabled. Thanks to Kandalf for the report.

SquidClamav 6.5, Sunday January 15 2012

This is a maintenance release that fixes some pending bugs and adds more support to Safe Browsing ClamAv detection.

	- Fix a squidclamav crash when maxsize is removed from configuration
	  file or disabled/set to 0. Thanks to Pascal Bendeich for the report.
	- Fix an issue when the downloaded file size is larger than the
	  clamd.conf limit set in the StreamMaxLength configuration directive.
	  Thanks to Arnvid Karstad for the report.
	- All CGI Perl scripts have been modified to report unsafe browsing.
	- Add a note about ClamAV and the support for Google Safe Browsing
	  database. As clamd will return something like:
		Safebrowsing. FOUND
	  this will be redirected by squidclamav just as if a virus was found.
	  Thanks to Michael Grasso for the request.

SquidClamav 6.4, Friday August 19 2011

This release fixes a second double free memory corruption and a mishandled pattern memory reallocation on "squidclamav:cfgreload" command call or c-icap threads restart.

	- Change default value for clamd_local configuration directive to the
	  common package default clamd local socket '/var/run/clamav/clamd.ctl'.
	- The origin of the double free corruption was partially found in last
	  release. It is now completely fixed. Thanks to Tim Weippert for the
	  report.
	- The call to squidGuard from SquidClamav through a bidirectional pipe
	  seems to make the squid/c-icap system go slower and slower. The reason
	  is the growing number of pending squidGuard processes after c-icap
	  threads restart. The historical reason for this feature is related to
	  Squid version 2.x, which doesn't allow chaining url_rewrite_program. I
	  think this is no longer useful, so the squidguard configuration
	  directive will be removed in the next major release. Thanks to Marco
	  Schuth and David Tannheimeri for the report.
	  You'd better use the Squid configuration file (squid.conf) and the
	  'url_rewrite_program' directive to use squidGuard. There's no plan to
	  reintroduce the call to squidGuard from SquidClamav, at least until
	  squidGuard has a daemon mode or you really ask for it.
	- Fix an issue on reallocating mishandled null pattern array.

SquidClamav 6.3, Sunday June 26 2011

This is a bugfix release.

        - Remove obsolete code on log_file configuration directive.
	- Fix double free corruption when sending a configuration reload
	  command: echo -n "squidclamav:cfgreload" >> /var/run/c-icap/c-icap.ctl
	  Thanks to David Tannheimer for the report. This bug appears only when
	  using local Unix socket to connect clamd.
	- Compatibility check with c-icap-0.1.6: ok

SquidClamav 6.1 is in Debian unstable, Tuesday March 15 2011

Thanks to Tim Weippert, squidclamav v6.1 is now in Debian unstable and should enter testing (wheezy) this week.

Tim is also preparing an up-to-date package for 6.2 that will be uploaded in the next few days.

SquidClamav 6.2, Sunday February 27 2011

This release fixes a crash when X-Client-IP is not forwarded by Squid and fixes null username and client IP. There's also a new configuration option to toggle DNS lookup to improve speed and remove possible DNS timeouts.

If you've experienced signal 11 exits, please upgrade asap.

	- Fix squidclamav crash when X-Client-IP is not forwarded by default
	  from squid to icap, i.e. when 'icap_send_client_ip on' is not set
	  in squid.conf. Thanks to Diego Elio Pettenò for the patch.
	- Force client IP and username to '-' when they are not set or null.
	  Thanks to Alex for the report.
	- Fix a signal 11 when username was not set.
	- Add new configuration option 'dnslookup' to disable DNS lookup of
	  client IP address. Default is enabled for backward compatibility but
	  you must deactivate this feature if you don't use trustclient with
	  hostname in the regexp or don't have a DNS on your network.
	  Disabling it will also speed up squidclamav.

SquidClamav 5.7, Sunday December 11 2010

This release fixes minor bugs in the 5.x branch but can be helpful if you are blacklisted by some sites due to excessive HEAD requests.

	- Remove call to a HEAD request when there's no abortcontent configuration
	  directive. This is helpful if your IP address is blacklisted by some
	  sites because they are receiving too many HEAD requests from you.
	  Thanks to cOre for the report.
	- Fix hard coding of /etc/squidclamav.conf. Now it is relative to the
	  prefix given as configure parameter (--prefix). Default is now to store
	  configuration file in /usr/local/etc/squidclamav.conf. Thanks to cOre
	  for the report.

SquidClamav 6.1, Friday October 29 2010

This release fixes two major bugs: one prevented SquidClamav from compiling on BSD* systems and the other caused a segmentation fault when SquidClamav can't resolve the name of the remote host. Please upgrade asap.

	- Add missing "#include <signal.h>", compilation on BSD and possibly
	  other distributions was not working. Thanks to Alex for the report.
	- Fix segmentation fault in gethostbyaddr when the remote client can't
	  be resolved. Thanks to Valery for the report.

SquidClamav 6.0, Friday October 22 2010

This is the initial release of the v6.x branch. It works exactly like the v5.x branch except that it now uses the ICAP protocol and must be run as a c-icap server service. The goal of this first release is to port SquidClamav to the ICAP protocol to solve all limitations encountered in the previous releases (audio/video streaming, sites with sessions like webmail, support of POST requests, etc).

The next release will aim for real on-stream scanning and bypassing the size limitation. Coming soon, but I first want to be sure that c-icap is the right choice for stability and performance, and also that this new branch is stable and fast enough. I hope you will give me feedback.

As SquidClamav is now an ICAP service, you must use Squid v3.x branch and install the excellent c-icap server of Tsantilas Christos available at http://c-icap.sourceforge.net/. Please download version c-icap-0.1.x, you don't need the c-icap-modules part.

The squidclamav.conf configuration file from v5.x is fully compatible but some directives are now obsolete, here is the list:

        squid_ip
        squid_port
        maxredir
        useragent
        trust_cache
        stat
        debug
        clamd_timeout

One has changed: the 'timeout' directive, which was used to set the timeout for libcurl downloads. As cURL is no longer used, this directive is now used to set the timeout for the clamd connection. Its default value is 1 second and it can be set up to 10.

The others work as before. There's no packaging available yet.

YOU MUST tune the c-icap server according to your needs (number of users); see http://squidclamav.darold.net/tuning.html for the configuration directives that could help.

SquidClamav 5.6, Tuesday October 20 2010

This quick release fixes compilation errors on CentOS and possibly other distributions, and some compilation warnings.

	- Fix compile error with CLAMD_TIMEOUT on CentOS and possibly more
	  distributions. Thanks to Andrea Schoenberg for the report.
	- Fix compile warning on curl_easy_setopt with CURL_TIMEOUT.
	- Fix compile warning on execlp call.

SquidClamav 5.5, Monday October 19 2010

Release v5.5 is out!

This is the final release of the 5.x branch; it fixes some portability problems and a curl timeout on slow sites. Here are the changes:

	- Replace use of longjmp, which is not portable enough, with a simple
	  call to alarm and sigaction.
	- The clamd_timeout configuration has been removed. If you want to
	  change the default timeout of one second please edit squidclamav.h
	  and change the CLAMD_TIMEOUT second definition.
	- Add CURL_TIMEOUT constant in squidclamav.h to make it easier to change
	  the timeout given to cURL to download an HTTP header. The default is
	  now 2 seconds. This fixes the debug error message: bad header (28:
	  Operation timed out after 1000 milliseconds with 0 bytes received)
	- Fix several compilation warnings.

This is the final release of the 5.x branch; there will be only bug fix releases now. The official development branch is now 6.x and the first release will be available this week.

SquidClamav 6.0 Beta, Wednesday September 29 2010

Good news, the SquidClamav version based on the ICAP protocol is now in beta testing under heavy load (2500 users) and seems to work well and faster!

It still needs some work on documentation and packaging and may be out around 10 October.

SquidClamav 5.4, Friday August 06 2010

Release v5.4 is out, here are the changes:

	- Fix bad handling of no running proxy and clamd daemon.
	- Add support for scanning SSL encrypted traffic with the new Squid
	  feature sslBump. Thanks to Jean DERAM for the patch.
	- Remove obsolete escaping chars on chained system program call.
	- Add setsid on chained program call, this may solve zombie problem
	  on BSD system. Not fully tested.

SquidClamav 5.3, Tuesday March 23 2010

Release v5.3 fixes the following issues:

	- Fix random squidguard redirection on wrong user by setting chained
	  program pipe line buffered. Thanks to Russ Wheatcroft for the report.
	- SquidClamav now logs chained program redirection with the original
	  user and ip address. Only if logredir configuration option is enabled.

	ERRATA: This patch was announced but not applied on v5.2.
	- Add workaround for Squid < 3.0 which made maxsize control fail on
	  location redirection so that content-length checked was always from
	  the redirection page. Thanks to Andre Struempfel for the report.

SquidClamav 5.2, Monday March 08 2010

Release v5.2 is out, see changes below:

	- Fix configure and install on FreeBSD.
	- Fix chained program zombies on BSD system.
	- Add Russian translation of clwarn.cgi. Thanks to Philipp (Zoonman)
	  for the contribution.
	- Fix error on debug printing of maxsize (using int instead of double).

SquidClamav 5.1, Sunday February 21 2010

New release v5.1 is out, this is a bug fix release and OpenBSD port.

	- Fix overriding of old SquidClamav configuration file during install.
	- Fix process name returned for the squidguard fork, which was always
	  squidGuard even if you're using another redirector.
	- Fix configure and install on OpenBSD.
	- Change link to squidclamav site in CGIs.

SquidClamav 5.0, Monday February 15 2010

SquidClamav v5.0 is finally out; this version is not backward compatible with the 4.x configuration file. Here are the major changes:

	- Now SquidClamav will scan all downloaded files by default so that you just have to
	  configure what you don't want to scan. The default configuration file comes with
	  predefined exclusions to help.
	- SquidClamav now uses extended regex, so you can have multiple patterns in a single line.
	  For example to exclude images from scan you can use the following lines:
		abort ^.*\.(png|gif|jpg|ico)$
		abortcontent ^image\/.*$
	- SquidClamav is now able to perform failover on clamd connection. You can define up
	  to 5 clamd IP addresses separated by a comma for the 'clamd_ip' configuration directive.
	  Thanks to Tuomas Haarala for the feature request.
	- The "whitelist" configuration directive now also aborts the call to the chained program
	  (squidguard or other) as well as aborting virus scan. This is the difference with the
	  'abort' directive, which only disables virus scanning.
	- There are also two new configuration directives:
	    'trustuser'   => allow to abort chained program and virus scan for a given ident username.
	    'trustclient' => allow to abort chained program and virus scan for a given client source
			     ip address or dns name.
	- The 'force' configuration directive has been removed as everything is scanned by default.
	- Source tree has been clarified and normalized. squidclamav.c has been renamed to pattern.c
	  and main.c to squidclamav.c
	- Add a bootstrap.sh file to create configure and makefile from scratch for developers.
	- Documentation has been reviewed and add a man file squidclamav.1
	- Add packaging support for RPM, SlackBuild and Debian package. See packaging/ directory.
	- Remove code for call to chained program in command line if bidirectional pipe failed.
	- Fix install on OpenSolaris complaining about missing -lnsl and -lsocket library at compile
	  time.

SquidClamav Web site, Sunday February 07 2010

SquidClamav Web site has been released today, I hope you will love it.

SquidClamav 4.3, Wednesday January 27 2010

SquidClamav v4.3 is out, this is the latest version of the 4.x branch. New release v5.0 coming soon.
